github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1

Add profile templates

Browse source 
Create etc/templates
 * profile.template
 * redirect_alias-profile.template
 * syscalls.txt
 * Notes
This commit is contained in:
rusty-snake 2019-05-30 17:31:25 +02:00
parent 360b066fba
commit cb98aea61b
No known key found for this signature in database
GPG key ID: CE890C49EE1373C1
6 changed files with 172 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

19
README
View file

@ -566,24 +566,9 @@ rusty-snake (https://github.com/rusty-snake)
- added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap - added profiles: kid3-qt, kid3-cli, anki, utox, mp3splt, mp3wrap
- added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk - added profiles: oggsplt, flacsplt, cheese, inkview, mp3splt-gtk
- added profiles: ktouch, yelp - added profiles: ktouch, yelp
- fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse - many profile fixing and hardening
- fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool
- fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany
- fixed profiles: vim, emacs, pycharm-community, gedit, klavaro
- fixed profiles: default, mpv, authenticator, gramps, webstorm
- fixed profiles: freeoffice-planmaker, freeoffice-presentations
- fixed profiles: freeoffice-textmaker, code, newsboat, aosp, clion
- fixed profiles: android-studio, git, gitg, github-desktop, idea.sh
- fixed profiles: ffmpeg, thunderbird, gnome-system-log, file-roller
- fixed profiles: eog, eom, xiphos, firefox-common, libreoffice
- fixed profiles: ocenaudio, sysprof, exiftool
- hardened profiles: disable-common.inc, disable-programs.inc
- hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox
- hardened profiles: gnome-clocks, meld, minetest, youtube-dl
- hardened profiles: bibletime, whois, etr, display, feh, mpv, xiphos
- hardened profiles: gnome-chess
- gnome-mpv was renamed to celluloid
- some typo fixes - some typo fixes
- added profile templates
Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
- fixed ktorrent profile - fixed ktorrent profile
sarneaud (https://github.com/sarneaud) sarneaud (https://github.com/sarneaud)

3
RELNOTES
View file

@ -1,5 +1,6 @@
ffirejail (0.9.60) baseline; urgency=low firejail (0.9.60) baseline; urgency=low
* work in progress * work in progress
* profile templates
-- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500 -- netblue30 <netblue30@yahoo.com> Sun, 26 May 2019 08:00:00 -0500
firejail (0.9.60) baseline; urgency=low firejail (0.9.60) baseline; urgency=low

7
etc/templates/Notes Normal file
View file

@ -0,0 +1,7 @@
Notes
=====
* Lines with one # are often used
* Lines with two ## are only in special situation needed
* Add programs specific paths like .config/program to disable-programs.inc
* Add the name of the profile/program to src/firecfg/firecfg.config

82
etc/templates/profile.template Normal file
View file

@ -0,0 +1,82 @@
# Firejail profile for PROGRAM_NAME
# Description: DESCRIPTION
# This file is overwritten after every install/update
##quiet
# Persistent local customizations
#include PROFILE.local
# Persistent global definitions
#include globals.local
##ignore noexec ${HOME}
##blacklist PATH
#noblacklist PATH
# Allow python (blacklisted by disable-interpreters.inc)
#noblacklist ${PATH}/python2*
#noblacklist ${PATH}/python3*
#noblacklist /usr/lib/python2*
#noblacklist /usr/lib/python3*
#noblacklist /usr/local/lib/python2*
#noblacklist /usr/local/lib/python3*
#include disable-common.inc
#include disable-devel.inc
#include disable-exec.inc
#include disable-interpreters.inc
#include disable-passwdmgr.inc
#include disable-programs.inc
#include disable-xdg.inc
#mkdir PATH
#mkfile PATH
#whitelist PATH
#include whitelist-common.inc
#include whitelist-var-common.inc
#apparmor
#caps.drop all
# CLI only
##ipc-namespace
#machine-id
# 'net none' or 'netfilter'
#net none
#netfilter
#no3d
#nodbus
#nodvd
#nogroups
#nonewprivs
#noroot
#nosound
#notv
#nou2f
#novideo
#protocol unix,inet,inet6,netlink
#seccomp
##seccomp.drop SYSCALLS
#shell none
#tracelog
#disable-mnt
##private
#private-bin PROGRAMS
#private-cache
#private-dev
#private-etc FILES
# private-etc templates (see also #1734)
# Internet: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
# Sound: alsa,asound.conf,machine-id,openal,pulse
# GTK: dconf,fonts,gtk-2.0,gtk-3.0,pango,xdg
# KDE/QT: fonts,kde4rc,kde5rc,ld.so.cache,machine-id,Trolltech.conf,xdg
# GUIs: fonts
# Alternatives: alternatives
##private-lib LIBS
##private-opt NAME
#private-tmp
##env VAR=VALUE
#memory-deny-write-execute
##read-only ${HOME}
##join-or-start NAME

36
etc/templates/redirect_alias-profile.template Normal file
View file

@ -0,0 +1,36 @@
# Firejail profile for PRGOGRAM_NAME
# Description: DESCRIPTION
# This file is overwritten after every install/update
# Persistent local customizations
include PROFILE.local
# Persistent global definitions
# added by included profile
#include globals.local
#NOTE: let include globals.local commented
# Additional blacklisting (if needed)
#blacklist PATH
# Additional noblacklisting (if needed)
#noblacklist PATH
# Additional whitelisting (if needed)
#mkdir PATH
#mkfile PATH
#whitelist PATH
# Additional options if needed (see firejail-profile.example)
# Add programs to private-bin (if needed)
#private-bin PROGRAMS
# Add files to private-etc (if needed)
#private-etc FILES
# Ignore something that is in the included profile
#ignore net none
#ignore private-bin
#ignore seccomp
#...
# Redirect
include PROFILE.profile

43
etc/templates/syscalls.txt Normal file
View file

@ -0,0 +1,43 @@
Hints for writing seccomp.drop lines
====================================
@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
@module=delete_module,finit_module,init_module
@raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_mmio_read,s390_mmio_write
@reboot=kexec_load,kexec_file_load,reboot,
@swap=swapon,swapoff
@privileged=@clock,@module,@raw-io,@reboot,@swap,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,ftime,get_kernel_syms,getpmsg,gtty,lock,mpx,prof,profil,putpmsg,query_module,security,sgetmask,ssetmask,stty,sysfs,tuxcall,ulimit,uselib,ustat,vserver
@resources=set_mempolicy,migrate_pages,move_pages,mbind
@default=@cpu-emulation,@debug,@obsolete,@privileged,@resources,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,umount,userfaultfd,mincore
@default-nodebuggers=@default,ptrace,personality,process_vm_readv
@default-keep=execve,prctl
+---------+----------------+---------------+
| @clock | @cpu-emulation | @default-keep |
| @module | @debug | |
| @raw-io | @obsolete | |
| @reboot | @resources | |
| @swap | | |
+---------+----------------+---------------+
: :
+-------------+ :
| @privileged | :
+-------------+ :
: :
+----------+ :
| @default |........:
+----------+
:
+----------------------+
| @default-nodebuggers |
+----------------------+